CVE-2017-3199

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.
References
Link Resource
https://www.kb.cert.org/vuls/id/307983 Third Party Advisory US Government Resource
https://codewhitesec.blogspot.com/2017/04/amf.html Exploit Third Party Advisory
http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution Third Party Advisory
http://www.securityfocus.com/bid/97382 Third Party Advisory VDB Entry
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:graniteds:graniteds:3.1.1:*:*:*:*:*:*:*

Information

Published : 2018-06-11 10:29

Updated : 2020-02-06 07:02


NVD link : CVE-2017-3199

Mitre link : CVE-2017-3199


JSON object : View

CWE
CWE-502

Deserialization of Untrusted Data

Advertisement

dedicated server usa

Products Affected

graniteds

  • graniteds